CIO

In Good Luck We Trust . .

The Stories Continue

What were we thinking?

What were we thinking?

What was I thinking?

Back in May, I celebrated CIO's 100th issue by introducing a continuing series - CIO Retrospectives: Seminal Issues & Technologies - where CIO writers revisit seminal events, issues and technologies we've covered over the years.

If you're a new reader, or need a bit of a reminder regarding the "how's" and "why's" of this particular exercise, here's our premise. The writers are to kick off with "What were we thinking" - that is, why we all believed the selected story was important and the pervasive mind-set at the time among users, observers and (occasionally) vendors. Then, in some instances at least, the writer looks back and casts a jaded eye - that is, "What were we thinking?" - over the topic.

Thus far, we've covered a number of issues, including the likes of Y2K, "IT Doesn't Matter", the skills crisis (or lack thereof) and dotcom mania.

This month CIO writers cast their respective eyes backwards at that plucky tag-team of security and privacy. (While privacy is a one-off, the ever-changing nature of security means we'll be revisiting that particular topic more than once in this series.)

As always, I'm happy to entertain your suggestions for other "seminal" technologies or issues we should cover.

LK

linda_kennedy@idg.com

For a very long while I was an utter dunderhead about computer security.

The first PC my partner and I ever owned - purchased long before most of our friends and family had one - was a 1984 Wang PC with a massive 256K RAM and a 10MB Winchester drive. A state-of-the-art machine, it ran Wang WP and Multiplan and you transferred data via a 5¼-inch 360K floppy. Not that there were that many people to transfer data to, you understand: there were just 400,000 PCs installed in all of Australia, and it would take a further two years for even 8 percent of computers in this country to be networked.

Being a reasonably early adopter was great, but with only a couple of editors and business clients to share floppy disks with it was harder to get into trouble than it was to stay unmolested. This soon-to-be-false sense of security in turn encouraged some rather shoddy computing habits. After all, with a relatively stable operating system and no external interfaces, who needed to worry their pretty little heads about security?

Sure, it was a time when intruders were finding ways to exploit relatively simple weaknesses, such as poor passwords and badly configured systems that allowed relatively easy access to some systems. But that usually meant physically getting to the computer first, and even if wicked people had crept into our home to access our PC, what was there to steal?

By the time CIO magazine was born the security picture was, of course, dramatically different, but my computing habits had altered barely at all.

The year CIO launched some 5.8 million Australian households had PCs and the Internet was connecting something like 13 million computers in 195 countries on every continent, including Antarctica. Businesses and people across the globe were discovering the joys of being able to reach distant points on the network on demand. The Communication Futures Final Report (BTCE 1994b, 12) describes the growth of data networks at the time as "astounding", with some 50 percent of computers networked in 1993 as against only 8 percent in 1986.

As far as security goes, things were starting to get truly hairy. Intruders no longer had to enter your office or home to steal or tamper with your information. Clever hackers were figuring out brand new ways to create new electronic files, run their own programs on other people's machines and hide evidence of their unauthorized activity. And they were, as they remain, always a step ahead of the security experts trying to thwart them.

The upshot was that computer intrusions, and the sophistication of attacks, were growing along with the number of PCs, as all that convenience and easy access to information created an explosion in risk. "In eight years of operation, the CERT Coordination Centre has seen intruders demonstrate increased technical knowledge, develop new ways to exploit system vulnerabilities, and create software tools to automate attacks. At the same time, intruders with little technical knowledge are becoming more effective as the sophisticated intruders share their knowledge and tools," CERT reported at the time.

As you would expect of any business and IT journalist, my knowledge about computer security and the management of risk was growing exponentially too, as I researched and wrote on the subject for CIO magazine and PC World. Not that any of that newfound expertise did me an ounce of good personally.

"More than at any other time in the history of the industrialized world, the health of the corporation is directly related to the security of its data," I wrote in May 1997. "When it comes to IT&T security, two truisms come to mind: You never know how secure your systems are until the day someone tries to break in, and relying on faulty security can be worse than having no security at all. Taken together, these truisms present IT managers with some interesting challenges, particularly in light of the industry's track record of major security exposures being discovered only well after release of a security product to market.

"Take the security flaws within Netscape Communications' Navigator browser and SunSoft's Java code discovered by graduate students at Princeton University last May, or the theoretical security defect discovered within implementations of smart cards by computer scientists at Bell Corp last September. If they tell you anything, such incidents tell you no one can take security on trust any more."

If only I'd listened to me . . .

In another article, I warned of growing threats from hackers. "Early in 1997 the Office of Strategic Crime Assessment (OSCA) conducted a study on computer crime and security, canvassing a number of Australia's top 500 companies and government. It showed that while in the past most attacks on systems had been by insiders, attacks from the outside are now on the increase.

"So is Australia vulnerable to criminal or terrorist attack against its information infrastructure? Is the Pope a Catholic? Is the Millennium Bug a headache? You bet your sweet life."

I also wrote: "Corporations spend billions each year protecting the confidentiality and integrity of their information. You and your team may excel in using data encryption and key management to protect your secrets and stop your data from being modified. You can create strong user identification and authentication; you put immense effort into ensuring backup and redundancy are in place and fully working; you put firewalls in place or air gap your systems to protect against intrusion. What you cannot be expected to defend against is denial-of-service attacks, electromagnetic pulse bombs (EMP) or other deliberate criminal assaults against crucial infrastructure components."

Hardly a Clue

The extent of Internet-related fraud was an eyebrow-raiser. A 1997 Deloitte & Touche report commissioned by the European Union found cross-border fraud involving Internet abuse, smuggling, banking and investment frauds was costing society $US77 billion a year. Of those, the largest single threat came from Internet fraud because of the vulnerability of encryption technology to sophisticated computer vandalism.

In Australia, business and regulatory authorities were warning about the massive potential for fraud to cross borders and for international shysters to "eat into the Australian economy", partly because of the trend towards e-commerce.

The report Taking Fraud Seriously: Issues and Strategies for Reform estimated fraud was costing Australia more than $3.5 billion a year and adding $21 to the cost of each insurance policy. Written by the Australian Institute of Criminology for the Institute of Chartered Accountants Fraud Advisory Council, the report noted the global electronic village had brought about a significant growth in fraud opportunity through new products, services and service delivery channels. Yet there had been no concomitant improvement in detection and prosecution, with fraud control, detection and prosecution techniques all being run at national levels, rather than under an international approach. Technology-induced globalization was compounding the problem.

"This is no more apparent than in the financial sector," the report said. "Bonnie and Clyde no longer have to turn up at a branch in order to rob the bank. Indeed, if they did, they would be severely limiting their potential 'take'. They would now be more likely to try to rob the bank through a technology-assisted approach, from the other side of the world."

All of it was true, but in my writings, richly peppered with other people's sage advice, I sadly (and foolishly) found little to personally relate to. After all, I was not an IT manager. I was sitting here at home, minding my own business, as it were. What, me worry?

You see, in my experience a competent journalist, given sufficient time and access to the experts, can write intelligibly and intelligently about almost any subject. That doesn't guarantee they will take any of that wisdom to heart, especially when it has been drilled into them that good journalists leave themselves entirely out of any story. Indeed, it was in accumulating knowledge about IT security that I first started to appreciate that writing meaningfully about a subject and internalizing that knowledge are two different things. So I wrote frequently about corporate security and read about it even more often, watching with the sort of detached cynicism that comes naturally to many journalists as business after business got into deep doo-doo.

Then I suffered my first virus attack (and yes, I did say first: there were indeed more to come - talk about a slow learner), experienced a calamitous loss of data and cost myself hours of pointless work.

Now you might choose to liken that to renowned Bear-of-Little-Brain Winnie the Pooh smugly contemplating the air-headed antics of Rabbit or Eeyore and feeling nicely superior. I might lamely reply that actually I scored rather highly on Stanford-Binet and achieved a very good academic degree, thank you very much, but basically, you'd be right. I was indefensibly stupid, and I paid a very high price for that stupidity.

And in that, I think, I mirrored very many people in Australia and around the world.

I know better these days of course - enough to take strenuous steps every day and week to protect and back up my systems, and enough to know that even my best efforts might one day prove inadequate. Hey! Even a Bear-of-Little-Brain can sometimes learn from her mistakes.

(And I know, I know, the sub-title of this piece references the Donkey, not the Bear, but isn't that what many of us feel like when we succumb to a security threat?)